LiteStats iconLitestats
← Back to Blog
Technical9 min read

Cookieless Tracking Explained: How It Works Without Cookies

Cookies have been the foundation of web analytics for over two decades. But with growing privacy regulations and browser restrictions, a new generation of analytics platforms works entirely without them. Here's how.

How traditional cookie-based analytics work

When you visit a website running Google Analytics, the analytics script sets a cookie on your browser. This cookie contains a unique identifier — a client ID — that persists across sessions. Every time you return, the cookie is read and your visit is attributed to the same user profile.

This is how traditional analytics distinguish between "new" and "returning" visitors, build multi-session user journeys, and attribute conversions across visits. It's effective, but it comes with a trade-off: you're storing data on the visitor's device, which triggers legal consent requirements under the ePrivacy Directive and GDPR.

What "cookieless" actually means

Cookieless tracking means the analytics platform does not set any cookies on the visitor's browser. No first-party cookies, no third-party cookies, no tracking pixels that rely on cookie-based identification. The visitor's browser remains untouched.

It's important to distinguish cookieless analytics from "cookieless tracking" methods used in advertising, which sometimes substitute cookies with device fingerprinting or probabilistic ID matching. Privacy-first cookieless analytics avoid all of these techniques. The goal is to measure traffic without identifying individual visitors.

Session-based identification

Instead of cookies, privacy-first analytics use the browser's sessionStorage API to generate a random session identifier. This identifier exists only for the duration of the browser tab and is automatically deleted when the tab is closed. It is not shared across tabs, windows, or different websites.

Here's how it works in practice:

  1. A visitor opens your website
  2. The analytics script generates a random UUID (e.g. crypto.randomUUID())
  3. This UUID is stored in sessionStorage — not a cookie
  4. Every pageview during that tab session includes the same UUID
  5. When the tab is closed, the UUID is automatically deleted
  6. If the visitor returns later, a completely new UUID is generated

This allows the analytics platform to group pageviews into sessions (e.g. "this visitor viewed 3 pages") without tracking who that visitor is across sessions or devices.

What data is collected

Cookieless analytics collect aggregate, non-personal data. A typical pageview event includes:

  • Page URL: Which page was viewed
  • Referrer: Where the visitor came from (Google, Twitter, a blog post, etc.)
  • User agent: Parsed into browser type, operating system, and device category — the raw string is not stored
  • Country: Derived from the IP address at the server level — the IP itself is never stored or logged
  • Timestamp: When the pageview occurred
  • Session ID: A random UUID from sessionStorage, used only to group pageviews in the same tab session
  • UTM parameters: Campaign source, medium, and name (if present in the URL)

No names, no emails, no IP addresses, no device fingerprints, no persistent identifiers. The data is inherently anonymous because there's no mechanism to link it to a specific person.

How country detection works without storing IPs

One common question is how cookieless analytics determine the visitor's country without storing their IP address. The answer is that the IP is used transiently — at the moment the server receives the pageview request, it looks up the country from the IP address using a GeoIP database, then immediately discards the IP. Only the country code (e.g. "IE" for Ireland) is stored in the analytics database.

A country code alone is not personal data. It cannot identify a specific individual. It's the same category of information as "this visitor used Chrome on Windows" — useful for aggregate analysis, useless for identification.

What you can and can't measure

Cookieless analytics provide accurate data for the metrics most websites actually need:

You can measure

  • Total pageviews and unique visitors (per session)
  • Top pages and landing pages
  • Traffic sources and referrers
  • Campaign performance (via UTM parameters)
  • Browser, device, and OS breakdown
  • Country-level geographic data
  • Bounce rate and session duration
  • Real-time active visitors

You cannot measure

  • Individual user journeys across multiple sessions
  • New vs returning visitor distinction (since there's no persistent identifier)
  • Cross-device tracking
  • User-level cohort analysis
  • Multi-touch attribution models

For most websites — blogs, SaaS marketing sites, portfolios, small businesses — the "can measure" list covers everything that matters. The "can't measure" list is relevant primarily for large e-commerce sites or complex multi-channel attribution scenarios.

Why sessionStorage is not a cookie

Under the ePrivacy Directive, the consent requirement applies to "storage of information, or access to information already stored, in the terminal equipment of a subscriber or user." Cookies clearly fall under this definition. But sessionStorage used for a random session identifier that enables the analytics service the user is implicitly requesting (by visiting the site) is considered "strictly necessary" for the service.

Key differences between cookies and sessionStorage:

  • Persistence: Cookies survive browser closure; sessionStorage is deleted when the tab closes
  • Scope: Cookies are sent with every HTTP request to the domain; sessionStorage is only accessible via JavaScript on that specific page
  • Cross-tab: Cookies are shared across tabs; sessionStorage is isolated per tab
  • Tracking capability: Cookies enable cross-session identification; sessionStorage does not

The accuracy question

A common objection to cookieless analytics is accuracy. If you're not tracking individuals across sessions, aren't your numbers less accurate?

Paradoxically, cookieless analytics can be more accurate for aggregate metrics. Traditional analytics that require consent only see the visitors who accept cookies — typically 30-60% of total traffic. Cookieless analytics see 100% of traffic because no consent is needed. Your pageview counts, traffic source data, and geographic breakdown reflect your actual audience, not just the portion that clicked "Accept."

See cookieless tracking in action. Try the live demo or read how the LiteStats tracking script works.